Thinkpoint virus


Thinkpoint virus

Post by Marita Smith on 19th October 2010, 2:22 am

I downloaded all the updates you asked for until a message appeared that said exception processing message c0000013 parameters and a bunch of other numbers. Not sure what to do now.


Re: Thinkpoint virus

Post by Dr Jay on 19th October 2010, 4:06 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Re: Thinkpoint virus

Post by Marita Smith on 19th October 2010, 11:33 am

ComboFix 10-10-18.03 - Smith 10/19/2010 6:47.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.615 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Smith\Application Data\hotfix.exe
c:\documents and settings\Smith\g2mdlhlpx.exe
c:\documents and settings\Smith\System
c:\documents and settings\Smith\System\win_qs8.jqx
c:\windows\Downloaded Program Files\RdXIe.dll
c:\windows\ipexozuv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:54 . 2010-10-17 12:54 -------- d-----w- c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Mxinadomipu - c:\windows\dkbmpdet.dll
HKLM-Run-Syikudusiboqu - c:\windows\ipexozuv.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866FA44C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf754af28
\Driver\ACPI -> ACPI.sys @ 0xf74bdcb8
\Driver\atapi -> atapi.sys @ 0xf73a2852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7319b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7324a21
SendHandler -> NDIS.sys @ 0xf7319949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'explorer.exe'(1004)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(524)
c:\program files\Spyware Doctor\Tools\swpg.dat
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\lxdmserv.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-10-19 07:25:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-19 11:25

Pre-Run: 3,208,052,736 bytes free
Post-Run: 5,206,360,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6366578AB3E60BD78D58960F4E950C99


Re: Thinkpoint virus

Post by Marita Smith on 19th October 2010, 11:35 am

The computer seems a lot faster now. Should I reactivate AVG antivirus now?

Thank you


Re: Thinkpoint virus

Post by Dr Jay on 19th October 2010, 5:48 pm

Your computer is not clean, yet.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the codebox below into it:
    killall::

    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
    c:\documents and settings\All Users\Application Data\Update

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

    Driver::
    mchInjDrv
    hqgnf

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.



Re: Thinkpoint virus

Post by Marita Smith on 19th October 2010, 6:09 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x866F2000 \WINDOWS\system32\KDCOM.DLL
0xF791A000 \WINDOWS\system32\BOOTVID.dll
0xF74B7000 ACPI.sys
0xF7A06000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74A6000 pci.sys
0xF7506000 isapnp.sys
0xF73D3000 hqgnf.sys
0xF7ACE000 pciide.sys
0xF7786000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7516000 MountMgr.sys
0xF73B4000 ftdisk.sys
0xF778E000 PartMgr.sys
0xF7526000 VolSnap.sys
0xF739C000 atapi.sys
0xF7536000 disk.sys
0xF7546000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737C000 fltmgr.sys
0xF736A000 sr.sys
0xF7346000 Fastfat.sys
0xF732F000 KSecDD.sys
0xF7302000 NDIS.sys
0xF7556000 uagp35.sys
0xF72E8000 Mup.sys
0xEF093000 \SystemRoot\system32\DRIVERS\processr.sys
0xB9E8A000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xB9E76000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xEF083000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xEF073000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9E53000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9DC0000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB9D9C000 \SystemRoot\system32\drivers\portcls.sys
0xEF063000 \SystemRoot\system32\drivers\drmk.sys
0xB9D3C000 \SystemRoot\system32\drivers\ALCXSENS.SYS
0xEF1B3000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9D18000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xEF1AB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xEF1A3000 \SystemRoot\system32\DRIVERS\sisnic.sys
0xB9C85000 \SystemRoot\system32\DRIVERS\Intels51.sys
0xEF19B000 \SystemRoot\System32\Drivers\Modem.SYS
0xEF193000 \SystemRoot\system32\DRIVERS\fdc.sys
0xEF053000 \SystemRoot\system32\DRIVERS\serial.sys
0xEF0DF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9C71000 \SystemRoot\system32\DRIVERS\parport.sys
0xEF043000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xEF18B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xEE1CA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xEE2C4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xEF033000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xEF0DB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9C5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xEF023000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xEE847000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xEE1C2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9BF9000 \SystemRoot\system32\DRIVERS\psched.sys
0xEE837000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xEE1BA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xEE1B2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xEE827000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB7D31000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5016000 \SystemRoot\system32\DRIVERS\update.sys
0xEF57D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB602A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB600A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB7D2F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79F2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB57E5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB7D2D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB5410000 \SystemRoot\System32\Drivers\Null.SYS
0xB7D2B000 \SystemRoot\System32\Drivers\Beep.SYS
0xB57D5000 \SystemRoot\System32\drivers\vga.sys
0xB7D29000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB7D27000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB57CD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB57C5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEF569000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1AF1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1A98000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1A41000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB1A19000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB19F7000 \SystemRoot\System32\drivers\afd.sys
0xB5FEA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF72A4000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xB19CC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1934000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB5FCA000 \SystemRoot\System32\Drivers\Fips.SYS
0xB190E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5FBA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB57BD000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB18BE000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB4FEC000 \SystemRoot\system32\drivers\ftdibus.sys
0xB50E8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB18A8000 \SystemRoot\system32\drivers\ftser2k.sys
0xF79E6000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF79DA000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB55E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA5C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA6D0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1890000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB655F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEE4B1000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9C3A000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C03000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEF5AD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB171B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5658000 \SystemRoot\system32\drivers\sysaudio.sys
0xB15BF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A20000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB14B6000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA606000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mbr.sys
0xB0F4D000 \SystemRoot\System32\Drivers\HTTP.sys
0xB5E38000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mc21.tmp
0xF7A38000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB072D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\SMSS.EXE
524 C:\WINDOWS\system32\CSRSS.EXE
548 C:\WINDOWS\system32\WINLOGON.EXE
596 C:\WINDOWS\system32\SERVICES.EXE
608 C:\WINDOWS\system32\LSASS.EXE
760 C:\WINDOWS\system32\SVCHOST.EXE
840 C:\WINDOWS\system32\SVCHOST.EXE
1012 C:\Program Files\AVG\AVG9\AVGCHSVX.EXE
1020 C:\Program Files\AVG\AVG9\AVGRSX.EXE
1228 C:\WINDOWS\system32\SVCHOST.EXE
1292 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
1372 C:\WINDOWS\system32\SVCHOST.EXE
1628 C:\WINDOWS\system32\SPOOLSV.EXE
180 C:\WINDOWS\system32\SVCHOST.EXE
232 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
728 C:\Program Files\AVG\AVG9\AVGWDSVC.EXE
992 C:\Program Files\Java\JRE6\BIN\JQS.EXE
1108 C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXDMSERV.EXE
1176 C:\WINDOWS\system32\LXDMCOMS.EXE
1316 C:\WINDOWS\system32\SVCHOST.EXE
1760 C:\WINDOWS\system32\SVCHOST.EXE
1788 C:\WINDOWS\system32\SVCHOST.EXE
2352 C:\Program Files\AVG\AVG9\AVGEMC.EXE
2432 C:\Program Files\AVG\AVG9\AVGNSX.EXE
2672 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
3072 C:\WINDOWS\system32\ALG.EXE
3448 C:\WINDOWS\SOUNDMAN.EXE
3496 C:\Program Files\Lexmark 5000 Series\LXDMMON.EXE
3504 C:\Program Files\Lexmark 5000 Series\LXDMAMON.EXE
3528 C:\Program Files\AVG\AVG9\AVGTRAY.EXE
3596 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3684 C:\Program Files\Spyware Doctor\SWDOCTOR.EXE
3828 C:\Program Files\NETGEAR GA311 Adapter\GA311.EXE
1004 C:\WINDOWS\EXPLORER.EXE
3412 C:\Program Files\Messenger\MSMSGS.EXE
1616 C:\WINDOWS\system32\SVCHOST.EXE
3900 C:\Program Files\Avant Browser\AVANT.EXE
3572 C:\WINDOWS\system32\ctfmon.exe
2776 C:\Program Files\Outlook Express\MSIMN.EXE
860 C:\Documents and Settings\Smith\Local Settings\Temporary Internet Files\Content.IE5\9AS4MTYN\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST320015A, Rev: 3.03

Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

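A small triage helper for the two logs posted above (the ComboFix log earlier in the thread and the MBRCheck log in this reply), added here as an example; it is not code from the thread, from ComboFix or from MBRCheck. The sample inputs are constructed excerpts in the shape of those logs, and the three heuristics (load path under a user's Temp directory, a non-driver extension, a Services key with no ImagePath) are the example's own assumptions about what deserves a helper's second look.

```python
"""Triage helper for the two logs in this thread (ComboFix and MBRCheck).

Added example, not part of the thread, of ComboFix or of MBRCheck: it flags
kernel modules loaded from a user-writable directory, with a non-driver
extension (mc21.tmp above), or whose service key has no ImagePath (hqgnf)."""
import ntpath
import re

DRIVER_LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(\S.*)$")
SERVICE_HDR = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGEPATH = re.compile(r'^"ImagePath"="(.*)"$')
DRIVER_EXTS = {".sys", ".dll", ".exe"}
# Directory fragments a kernel driver has no business being loaded from.
WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")

# Constructed sample in the shape of the MBRCheck log above.
MBRCHECK_SAMPLE = r"""Kernel Drivers (total 6):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xF73D3000 hqgnf.sys
0xF7546000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA606000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mbr.sys
0xB5E38000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mc21.tmp
0x7C900000 \WINDOWS\System32\ntdll.dll

"""

# Constructed sample in the shape of the ComboFix service blocks above.
COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
"""


def parse_mbrcheck_drivers(text):
    """Return (load_address, image) pairs from the 'Kernel Drivers' section."""
    drivers, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
        elif in_section and (m := DRIVER_LINE.match(line)):
            drivers.append((int(m.group(1), 16), m.group(2)))
        elif in_section and drivers and not line.strip():
            break  # first blank line after the entries closes the section
    return drivers


def parse_combofix_services(text):
    """Map lower-cased service name -> (name as logged, ImagePath or None)."""
    services, current = {}, None
    for line in text.splitlines():
        if m := SERVICE_HDR.match(line):
            current = m.group(1).lower()
            services[current] = (m.group(1), None)
        elif current and (m := IMAGEPATH.match(line)):
            services[current] = (services[current][0], m.group(1))
        elif not line.strip():
            current = None  # a blank line ends the registry block
    return services


def flag_module(image, services):
    """Reasons an MBRCheck kernel-module entry deserves a look (empty = none)."""
    reasons, low = [], image.lower()
    if any(marker in low for marker in WRITABLE_MARKERS):
        reasons.append("loaded from a user-writable directory")
    ext = ntpath.splitext(low)[1]
    if ext not in DRIVER_EXTS:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    stem = ntpath.splitext(ntpath.basename(low))[0]
    if stem in services and services[stem][1] is None:
        reasons.append(f"service '{services[stem][0]}' has no ImagePath")
    return reasons


def triage(mbrcheck_text, combofix_text):
    """Cross-reference both logs; one dict per flagged kernel module."""
    services = parse_combofix_services(combofix_text)
    by_image = {p.lower(): n for n, p in services.values() if p}
    findings = []
    for addr, image in parse_mbrcheck_drivers(mbrcheck_text):
        reasons = flag_module(image, services)
        if reasons:
            stem = ntpath.splitext(ntpath.basename(image))[0].lower()
            service = by_image.get(image.lower()) or services.get(stem, (None,))[0]
            findings.append({"address": f"0x{addr:08X}", "image": image,
                             "service": service, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(MBRCHECK_SAMPLE, COMBOFIX_SAMPLE):
        tag = f" (service {f['service']})" if f["service"] else ""
        print(f"{f['address']} {f['image']}{tag}: {'; '.join(f['reasons'])}")
```

Note that mbr.sys is flagged too: a scanner's own driver can sit in Temp as well (the MBR rootkit detector ComboFix ran above is the likely source), so a heuristic like this shortlists entries for the helper to read rather than deciding what gets removed.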

Re: Thinkpoint virus

Post by Marita Smith on 19th October 2010, 6:11 pm

I have lost my outlook express e-mail somewhere. My hotmail works fine.


Re: Thinkpoint virus

Post by Dr Jay on 19th October 2010, 6:12 pm

Now the log from ComboFix, please.



Re: Thinkpoint virus

Post by Marita Smith on 19th October 2010, 6:56 pm

ComboFix 10-10-18.03 - Smith 10/19/2010 14:30:21.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.622 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome.manifest
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome\content\_cfg.js
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome\content\overlay.xul
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\install.rdf
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - [You must be registered and logged in to see this link.]
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8677444C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-19 14:53:56
ComboFix-quarantined-files.txt 2010-10-19 18:53
ComboFix2.txt 2010-10-19 11:25

Pre-Run: 5,107,777,536 bytes free
Post-Run: 5,195,726,848 bytes free

- - End Of File - - 413FD869DBC8329D1931DB89B1ED357C

Marita Smith
Novice

Posts : 15
Joined : 2010-10-18
OS : windows xp
Points : 22673
# Likes : 0


Re: Thinkpoint virus

Post by Dr Jay on 20th October 2010, 8:08 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\All Users\Application Data\Update

    DirLook::
    C:\FOUND.008
    C:\FOUND.009
    C:\

    MBR::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10

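The CFScript above targets entries the helper picked out of the ComboFix log posted earlier: a zero-byte file with a random name dropped straight into c:\windows, a .bat under a user's Application Data, a driver listed as *Deregistered* while still in memory, and the Security Center override that silences anti-virus alerts. As an added example (not from this thread and not ComboFix's own code), the following Python script shows how those triage rules can be applied to a log mechanically so the same indicators are flagged on every run. The function and rule names (triage, Finding, file-in-windows-root and so on) are this example's own, and SAMPLE_LOG is constructed from excerpts of the logs in this thread.

```python
"""Triage helper for ComboFix-style logs: flags the entries a malware helper
looks at first.  Added example for this thread, not part of ComboFix."""
import re
from dataclasses import dataclass

# Constructed sample: excerpts modelled on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
--- Other Services/Drivers In Memory ---
*Deregistered* - hqgnf
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the log text
    rule: str      # which triage rule fired (names are this example's own)
    detail: str    # the path, key or driver name that triggered it


# "Files Created" lines: <created> . <modified> <size-or-dashes> <attrs> <path>
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")                      # registry key header
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')      # service binary path
DEREG_RE = re.compile(r"^\*Deregistered\* - (\S+)$")    # driver in memory, no service entry
AV_OVERRIDE = '"AntiVirusOverride"=dword:00000001'      # Security Center AV alerts suppressed

# Extensions that should not turn up as fresh files directly in c:\windows
# or inside a per-user Application Data folder.
CODE_EXT = {".bin", ".exe", ".dll", ".bat", ".tmp", ".sys"}


def _ext(path: str) -> str:
    """Lower-cased extension of a Windows path, or '' if the last segment has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("\\") else ""


def triage(log_text: str) -> list[Finding]:
    """Scan a ComboFix-style log and return the suspicious entries in log order."""
    findings: list[Finding] = []
    last_key = ""  # most recent registry key header, so values can be attributed
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group(3)
            low = path.lower()
            parent = low.rsplit("\\", 1)[0]
            if parent == r"c:\windows" and _ext(low) in CODE_EXT:
                findings.append(Finding(n, "file-in-windows-root", path))
            elif "\\application data\\" in low and _ext(low) in CODE_EXT:
                findings.append(Finding(n, "code-in-appdata", path))
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            continue
        if line == AV_OVERRIDE:
            findings.append(Finding(n, "av-alerts-suppressed", last_key))
            continue
        m = DEREG_RE.match(line)
        if m:
            findings.append(Finding(n, "unregistered-driver-in-memory", m.group(1)))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and "\\temp\\" in m.group(1).lower():
            svc = last_key.rsplit("\\", 1)[-1]
            findings.append(Finding(n, "service-binary-in-temp", f"{svc}: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:3d}  {f.rule:30s}  {f.detail}")
```

The rules are deliberately narrow: a legitimate update such as deployJava1.dll landing in system32 is not flagged, while the same extension dropped directly into the c:\windows root is. The ImagePath check attributes the Temp-resident binary to its service name by remembering the last registry key header, which is how the mchInjDrv entry in the thread's third log reads.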

Re: Thinkpoint virus

Post by Marita Smith on 20th October 2010, 11:25 am

ComboFix is not launching for me this last time yet.

Marita Smith
Novice

Posts : 15
Joined : 2010-10-18
OS : windows xp
Points : 22673
# Likes : 0


Re: Thinkpoint virus

Post by Marita Smith on 20th October 2010, 3:13 pm

ComboFix 10-10-18.03 - Smith 10/20/2010 10:42:20.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.738 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - [You must be registered and logged in to see this link.]
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866F944C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'explorer.exe'(868)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(532)
c:\program files\Spyware Doctor\Tools\swpg.dat
.
Completion time: 2010-10-20 11:09:03
ComboFix-quarantined-files.txt 2010-10-20 15:09
ComboFix2.txt 2010-10-19 18:54
ComboFix3.txt 2010-10-19 11:25

Pre-Run: 5,092,311,040 bytes free
Post-Run: 5,146,345,472 bytes free

- - End Of File - - E8325C6991DF88A9261484B38CF1B590

Marita Smith
Novice

Posts : 15
Joined : 2010-10-18
OS : windows xp
Points : 22673
# Likes : 0


Re: Thinkpoint virus

Post by Dr Jay on 20th October 2010, 9:50 pm

That did not work right.

Make sure ComboFix and CFScript.txt are on your Desktop, then do this...

Go to Start > Run, and type this in and hit OK:

ComboFix "C:\Documents and Settings\Smith\Desktop\CFscript.txt"


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10


Re: Thinkpoint virus

Post by Marita Smith on 21st October 2010, 3:15 am

ComboFix 10-10-18.03 - Smith 10/20/2010 22:47:23.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.735 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
Command switches used :: c:\documents and settings\Smith\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Smith\Application Data\Bitrix Security
c:\documents and settings\Smith\Application Data\Bitrix Security\kezpay
c:\documents and settings\Smith\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai.dll
c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai_shrd

.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{BCA4BCBE-EB6E-406B-B990-3BEBF3024B3B} - c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8677444C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-20 23:11:03
ComboFix-quarantined-files.txt 2010-10-21 03:11
ComboFix2.txt 2010-10-20 15:09
ComboFix3.txt 2010-10-19 18:54
ComboFix4.txt 2010-10-19 11:25

Pre-Run: 5,089,214,464 bytes free
Post-Run: 5,135,024,128 bytes free

- - End Of File - - 8BC06235976AAEB226DCC8392BD6CF8D

Marita Smith
Novice

Posts : 15
Joined : 2010-10-18
OS : windows xp
Points : 22673
# Likes : 0


Re: Thinkpoint virus

Post by Dr Jay on 22nd October 2010, 3:14 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\All Users\Application Data\Update

    DirLook::
    C:\FOUND.008
    C:\FOUND.009
    C:\

    MBR::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10


Re: Thinkpoint virus

Post by Marita Smith on 22nd October 2010, 4:52 am

ComboFix 10-10-18.03 - Smith 10/22/2010 0:16.5.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.614 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
Command switches used :: c:\documents and settings\Smith\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-22 02:29 . 2010-10-22 02:29 -------- d-----w- C:\FOUND.010
2010-10-21 23:26 . 2010-10-21 23:26 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-22 04:12 . 2010-10-22 04:12 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
+ 2007-03-03 14:50 . 2010-10-21 23:26 29584 c:\windows\system32\drivers\avgmfx86.sys
+ 2008-07-25 12:19 . 2010-10-21 23:26 243024 c:\windows\system32\drivers\avgtdix.sys
+ 2008-07-25 12:19 . 2010-10-21 23:26 216400 c:\windows\system32\drivers\avgldx86.sys
+ 2009-03-13 22:36 . 2010-10-22 02:41 2242052 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-21 2067808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-10-21 23:26 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/21/2010 7:26 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/21/2010 7:26 PM 308136]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - [You must be registered and logged in to see this link.]
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671544C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2476)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-22 00:51:03
ComboFix-quarantined-files.txt 2010-10-22 04:51
ComboFix2.txt 2010-10-21 03:11
ComboFix3.txt 2010-10-20 15:09
ComboFix4.txt 2010-10-19 18:54
ComboFix5.txt 2010-10-22 04:05

Pre-Run: 4,280,434,688 bytes free
Post-Run: 4,436,738,048 bytes free

- - End Of File - - 3A3B0D7F5E92341EB9172A62C55F5176


Re: Thinkpoint virus

Post by Dr Jay on 22nd October 2010, 8:53 am

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10


Re: Thinkpoint virus

Post by Marita Smith on 22nd October 2010, 11:35 am

2010/10/22 07:32:54.0296 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/22 07:32:54.0296 ================================================================================
2010/10/22 07:32:54.0296 SystemInfo:
2010/10/22 07:32:54.0296
2010/10/22 07:32:54.0296 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/22 07:32:54.0296 Product type: Workstation
2010/10/22 07:32:54.0296 ComputerName: SMITH-1
2010/10/22 07:32:54.0296 UserName: Smith
2010/10/22 07:32:54.0296 Windows directory: C:\WINDOWS
2010/10/22 07:32:54.0296 System windows directory: C:\WINDOWS
2010/10/22 07:32:54.0296 Processor architecture: Intel x86
2010/10/22 07:32:54.0296 Number of processors: 1
2010/10/22 07:32:54.0296 Page size: 0x1000
2010/10/22 07:32:54.0296 Boot type: Normal boot
2010/10/22 07:32:54.0296 ================================================================================
2010/10/22 07:32:55.0734 Initialize success


Re: Thinkpoint virus

Post by Dr Jay on 22nd October 2010, 8:59 pm

Download [You must be registered and logged in to see this link.] to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press Enter
  • Open a Notepad and press CTRL V
  • Post the output back here.



Re: Thinkpoint virus

Post by Marita Smith on 23rd October 2010, 2:28 am

I am not sure how to do this. Now I have the bootkit_removal download window stuck on my desktop and it won't close. The window is gone after I logged off. I tried to load it into Adobe and it won't open it. I'm lost on what to do now.


Last edited by Marita Smith on 23rd October 2010, 2:08 pm; edited 1 time in total (Reason for editing : update message 10/23)


Re: Thinkpoint virus

Post by Dr Jay on 24th October 2010, 6:13 pm

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.



Re: Thinkpoint virus

Post by Marita Smith on 25th October 2010, 1:34 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x866F2000 \WINDOWS\system32\KDCOM.DLL
0xF791A000 \WINDOWS\system32\BOOTVID.dll
0xF74B7000 ACPI.sys
0xF7A06000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74A6000 pci.sys
0xF7506000 isapnp.sys
0xF73D3000 hqgnf.sys
0xF7ACE000 pciide.sys
0xF7786000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7516000 MountMgr.sys
0xF73B4000 ftdisk.sys
0xF778E000 PartMgr.sys
0xF7526000 VolSnap.sys
0xF739C000 atapi.sys
0xF7536000 disk.sys
0xF7546000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737C000 fltmgr.sys
0xF736A000 sr.sys
0xF7346000 Fastfat.sys
0xF732F000 KSecDD.sys
0xF7302000 NDIS.sys
0xF7556000 uagp35.sys
0xF72E8000 Mup.sys
0xEF093000 \SystemRoot\system32\DRIVERS\processr.sys
0xB9E8A000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xB9E76000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xEF083000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xEF073000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9E53000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9DC0000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB9D9C000 \SystemRoot\system32\drivers\portcls.sys
0xEF063000 \SystemRoot\system32\drivers\drmk.sys
0xB9D3C000 \SystemRoot\system32\drivers\ALCXSENS.SYS
0xEF1B3000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9D18000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xEF1AB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xEF1A3000 \SystemRoot\system32\DRIVERS\sisnic.sys
0xB9C85000 \SystemRoot\system32\DRIVERS\Intels51.sys
0xEF19B000 \SystemRoot\System32\Drivers\Modem.SYS
0xEF193000 \SystemRoot\system32\DRIVERS\fdc.sys
0xEF053000 \SystemRoot\system32\DRIVERS\serial.sys
0xEF0DF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9C71000 \SystemRoot\system32\DRIVERS\parport.sys
0xEF043000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xEF18B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xEE1CA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xEE2C4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xEF033000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xEF0DB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9C5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xEF023000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xEE847000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xEE1C2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9BF9000 \SystemRoot\system32\DRIVERS\psched.sys
0xEE837000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xEE1BA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xEE1B2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xEE827000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB7D31000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5016000 \SystemRoot\system32\DRIVERS\update.sys
0xEF57D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB602A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB600A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB7D2F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79F2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB57E5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB7D2D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB5410000 \SystemRoot\System32\Drivers\Null.SYS
0xB7D2B000 \SystemRoot\System32\Drivers\Beep.SYS
0xB57D5000 \SystemRoot\System32\drivers\vga.sys
0xB7D29000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB7D27000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB57CD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB57C5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEF569000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1AF1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1A98000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1A41000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB1A19000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB19F7000 \SystemRoot\System32\drivers\afd.sys
0xB5FEA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF72A4000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xB19CC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1934000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB5FCA000 \SystemRoot\System32\Drivers\Fips.SYS
0xB190E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5FBA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB57BD000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB18BE000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB4FEC000 \SystemRoot\system32\drivers\ftdibus.sys
0xB50E8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB18A8000 \SystemRoot\system32\drivers\ftser2k.sys
0xF79E6000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF79DA000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB55E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA5C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA6D0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1890000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB655F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEE4B1000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9C3A000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C03000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEF5AD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB171B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5658000 \SystemRoot\system32\drivers\sysaudio.sys
0xB15BF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A20000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB14B6000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA606000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mbr.sys
0xB0F4D000 \SystemRoot\System32\Drivers\HTTP.sys
0xB5E38000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mc21.tmp
0xF7A38000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB072D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\SMSS.EXE
524 C:\WINDOWS\system32\CSRSS.EXE
548 C:\WINDOWS\system32\WINLOGON.EXE
596 C:\WINDOWS\system32\SERVICES.EXE
608 C:\WINDOWS\system32\LSASS.EXE
760 C:\WINDOWS\system32\SVCHOST.EXE
840 C:\WINDOWS\system32\SVCHOST.EXE
1012 C:\Program Files\AVG\AVG9\AVGCHSVX.EXE
1020 C:\Program Files\AVG\AVG9\AVGRSX.EXE
1228 C:\WINDOWS\system32\SVCHOST.EXE
1292 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
1372 C:\WINDOWS\system32\SVCHOST.EXE
1628 C:\WINDOWS\system32\SPOOLSV.EXE
180 C:\WINDOWS\system32\SVCHOST.EXE
232 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
728 C:\Program Files\AVG\AVG9\AVGWDSVC.EXE
992 C:\Program Files\Java\JRE6\BIN\JQS.EXE
1108 C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXDMSERV.EXE
1176 C:\WINDOWS\system32\LXDMCOMS.EXE
1316 C:\WINDOWS\system32\SVCHOST.EXE
1760 C:\WINDOWS\system32\SVCHOST.EXE
1788 C:\WINDOWS\system32\SVCHOST.EXE
2352 C:\Program Files\AVG\AVG9\AVGEMC.EXE
2432 C:\Program Files\AVG\AVG9\AVGNSX.EXE
2672 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
3072 C:\WINDOWS\system32\ALG.EXE
3448 C:\WINDOWS\SOUNDMAN.EXE
3496 C:\Program Files\Lexmark 5000 Series\LXDMMON.EXE
3504 C:\Program Files\Lexmark 5000 Series\LXDMAMON.EXE
3528 C:\Program Files\AVG\AVG9\AVGTRAY.EXE
3596 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3684 C:\Program Files\Spyware Doctor\SWDOCTOR.EXE
3828 C:\Program Files\NETGEAR GA311 Adapter\GA311.EXE
1004 C:\WINDOWS\EXPLORER.EXE
3412 C:\Program Files\Messenger\MSMSGS.EXE
1616 C:\WINDOWS\system32\SVCHOST.EXE
3900 C:\Program Files\Avant Browser\AVANT.EXE
3572 C:\WINDOWS\system32\ctfmon.exe
2776 C:\Program Files\Outlook Express\MSIMN.EXE
860 C:\Documents and Settings\Smith\Local Settings\Temporary Internet Files\Content.IE5\9AS4MTYN\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST320015A, Rev: 3.03

Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


Re: Thinkpoint virus

Post by Marita Smith on 25th October 2010, 6:35 pm

What settings do I need to get video back? I can't play any YouTube things at all. Also, the background colors on most of my pages changed. For instance, Hotmail has a purple color on the file side. The messages side is normal. I am not sure if the sounds work correctly or not.

The computer is much faster than before and I have not had that ThinkPoint thing pop up at all.

Is AVG OK to use? Is there some virus program you can recommend that's better to use? Avast maybe?


Re: Thinkpoint virus

Post by Dr Jay on 25th October 2010, 8:37 pm

Avast would work.

As for the videos, let's try this first and see if it helps. Let me know.

Please download [You must be registered and logged in to see this link.] by DragonMaster Jay, and save it to your Desktop. Right click and Extract All, and save the files to your Desktop.
  • Please disable realtime protection. The only realtime protection that gets in the way and needs to be disabled: Windows Defender, Microsoft Security Essentials, Spybot TeaTimer, WinPatrol, and Ad-Aware AdWatch. If you have any one of those, please disable them.
  • Double-click DragonFix.reg, and follow the prompt(s).
  • Please reboot your computer.



Re: Thinkpoint virus

Post by Marita Smith on 26th October 2010, 1:52 pm

That didn't seem to work.
Also, I tried to download Avast and it blue-screened my computer and rebooted itself.

Does Microsoft or Adobe player work? I don't know which one would be the best. Is there one better? Thanks


Re: Thinkpoint virus

Post by Dr Jay on 28th October 2010, 4:25 am

Microsoft Silverlight is for Silverlight apps only.

Adobe Flash Player is for flash videos.

